
policy (Security IPsec)

 

Syntax

Hierarchy Level

Release Information

Statement modified in Junos OS Release 8.5.

Support for the group14 option added in Junos OS Release 11.1.

Support for group19, group20, and group24 options added in Junos OS Release 12.1X45-D10.

group15, group16, and group21 options introduced in Junos OS Release 19.1R1 on SRX Series devices.

Support for suiteb-gcm-128 and suiteb-gcm-256 options added in Junos OS Release 12.1X45-D10. Support for prime-128 and prime-256 options added in Junos OS Release 15.1X49-D40.

Starting in Junos OS Release 20.2R1, the CLI help text for the group1, group2, group5, and group14 options is marked NOT RECOMMENDED.

Description

Define an IPsec policy. An IPsec policy defines a combination of security parameters (IPsec proposals) used during IPsec negotiation. It defines Perfect Forward Secrecy (PFS) and the proposals needed for the connection.

Options

name—Name of the IPsec policy.
description—Enter descriptive text for an IPsec policy.
perfect-forward-secrecy keys—Specify Perfect Forward Secrecy (PFS) as the method that the device uses to generate the encryption key. With PFS, the key for each new IPsec SA is derived from a fresh Diffie-Hellman exchange rather than from the previous key or from the IKE SA keying material, so compromise of one key does not expose earlier or later keys. The device deletes existing IPsec SAs when you change the perfect-forward-secrecy configuration in the IPsec policy.

Values:

  • group1—Diffie-Hellman Group 1 (768-bit MODP). Marked NOT RECOMMENDED.

  • group2—Diffie-Hellman Group 2 (1024-bit MODP). Marked NOT RECOMMENDED.

  • group5—Diffie-Hellman Group 5 (1536-bit MODP). Marked NOT RECOMMENDED.

  • group14—Diffie-Hellman Group 14 (2048-bit MODP). Marked NOT RECOMMENDED.

  • group15—Diffie-Hellman Group 15 (3072-bit MODP).

  • group16—Diffie-Hellman Group 16 (4096-bit MODP).

  • group19—Diffie-Hellman Group 19 (256-bit random ECP).

  • group20—Diffie-Hellman Group 20 (384-bit random ECP).

  • group21—Diffie-Hellman Group 21 (521-bit random ECP).

  • group24—Diffie-Hellman Group 24 (2048-bit MODP with 256-bit prime order subgroup).

  The NOT RECOMMENDED marking is the one applied to the CLI help text from Junos OS Release 20.2R1; prefer group19 or higher for new deployments unless a peer cannot negotiate them.

proposal-set—Define a set of default IPsec proposals. A member proposal's name encodes its PFS behavior (nopfs- means no PFS; g2- means PFS with Diffie-Hellman group 2), the protocol (esp), the encryption algorithm, and the authentication algorithm.

Values:

  • basic—IPsec basic proposal-set: nopfs-esp-des-sha and nopfs-esp-des-md5. Both members use single DES and neither uses PFS; DES and MD5 are deprecated, so use this set only for interoperability with a legacy peer.

  • compatible—IPsec compatible proposal-set: nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, and nopfs-esp-des-md5. No member uses PFS, and the DES and MD5 members carry the same caveat as the basic set.

  • prime-128—Provides the following proposal set:

    • Encapsulating Security Payload (ESP) protocol

    • Encryption algorithm—Advanced Encryption Standard Galois/Counter mode (AES-GCM)128-bit

    • Authentication algorithm—None (AES-GCM provides both encryption and authentication)

    This option is not supported on Group VPNv2.

  • prime-256—Provides the following proposal set:

    • ESP protocol

    • Encryption algorithm—AES-GCM 256-bit

    • Authentication algorithm—None (AES-GCM provides both encryption and authentication)

    This option is not supported on Group VPNv2.

  • standard—IPsec standard proposal-set: g2-esp-3des-sha and g2-esp-aes128-sha. Both members use PFS with Diffie-Hellman group 2, which is marked NOT RECOMMENDED from Junos OS Release 20.2R1.

  • suiteb-gcm-128—Provides the following proposal set:

    • ESP protocol

    • Encryption algorithm—AES-GCM 128-bit

    • Authentication algorithm—None (AES-GCM provides both encryption and authentication)

    This option is not supported on Group VPNv2.

  • suiteb-gcm-256—Provides the following proposal set:

    • ESP protocol

    • Encryption algorithm—AES-GCM 256-bit

    • Authentication algorithm—None (AES-GCM provides both encryption and authentication)

    This option is not supported on Group VPNv2.

proposals proposal-name—Specify one or more proposals for an IPsec policy. Each named proposal is defined separately with the proposal statement at the [edit security ipsec] hierarchy level.
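As an added example (not Juniper code), the script below reads set-format IPsec policy statements, such as the output of show configuration security ipsec | display set, and reports the settings this page describes as weak: PFS groups whose help text reads NOT RECOMMENDED from Junos OS Release 20.2R1, default proposal-set members whose names carry des, 3des, or md5, and policies with no effective PFS at all. The configuration it reads is constructed sample input; the policy names (vpn-legacy, vpn-oldpfs, vpn-modern, vpn-suiteb, vpn-std) and proposal names (ipsec-aes256-sha256, ipsec-aes128-gcm) are hypothetical. The member lists for the basic, compatible, and standard sets are the ones listed above; this page does not enumerate members for the prime and suiteb sets, so for those only the explicit perfect-forward-secrecy statement is checked.

```python
"""Audit Junos set-format IPsec policies for weak PFS groups and proposal-sets.

Added example, not Juniper code. SAMPLE_CONFIG is constructed input; the
policy and proposal names in it are hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# PFS groups whose CLI help text reads NOT RECOMMENDED from Junos OS 20.2R1.
NOT_RECOMMENDED_GROUPS = {"group1", "group2", "group5", "group14"}

# Members of the default proposal-sets as listed in this reference. The name
# encodes PFS ("nopfs-" none, "g2-" DH group 2), protocol, cipher and hash.
PROPOSAL_SET_MEMBERS = {
    "basic": ["nopfs-esp-des-sha", "nopfs-esp-des-md5"],
    "compatible": ["nopfs-esp-3des-sha", "nopfs-esp-3des-md5",
                   "nopfs-esp-des-sha", "nopfs-esp-des-md5"],
    "standard": ["g2-esp-3des-sha", "g2-esp-aes128-sha"],
}

# Algorithm name tokens that should not appear in a new deployment.
WEAK_TOKENS = {"des", "3des", "md5"}

# Constructed sample: what 'show configuration security ipsec | display set'
# might print for five hypothetical policies.
SAMPLE_CONFIG = """\
set security ipsec policy vpn-legacy description "old site-to-site tunnel"
set security ipsec policy vpn-legacy proposal-set compatible
set security ipsec policy vpn-oldpfs perfect-forward-secrecy keys group2
set security ipsec policy vpn-oldpfs proposals ipsec-aes256-sha256
set security ipsec policy vpn-modern perfect-forward-secrecy keys group20
set security ipsec policy vpn-modern proposals [ ipsec-aes256-sha256 ipsec-aes128-gcm ]
set security ipsec policy vpn-suiteb perfect-forward-secrecy keys group19
set security ipsec policy vpn-suiteb proposal-set suiteb-gcm-128
set security ipsec policy vpn-std proposal-set standard
"""

POLICY_RE = re.compile(r"^set security ipsec policy (?P<name>\S+) (?P<stmt>.+)$")


@dataclass
class IpsecPolicy:
    name: str
    description: Optional[str] = None
    pfs_group: Optional[str] = None
    proposal_set: Optional[str] = None
    proposals: List[str] = field(default_factory=list)


def parse_policies(config_text: str) -> Dict[str, IpsecPolicy]:
    """Collect the 'security ipsec policy' statements, one object per policy."""
    policies: Dict[str, IpsecPolicy] = {}
    for raw in config_text.splitlines():
        m = POLICY_RE.match(raw.strip())
        if not m:
            continue  # not an IPsec policy statement
        pol = policies.setdefault(m["name"], IpsecPolicy(m["name"]))
        keyword, _, rest = m["stmt"].partition(" ")
        if keyword == "perfect-forward-secrecy":
            pol.pfs_group = rest.split()[-1]          # "keys groupNN"
        elif keyword == "proposal-set":
            pol.proposal_set = rest.strip()
        elif keyword == "proposals":
            # a single name, or a bracketed list: "[ a b ]"
            pol.proposals.extend(t for t in rest.split() if t not in ("[", "]"))
        elif keyword == "description":
            pol.description = rest.strip().strip('"')
    return policies


def audit_policy(pol: IpsecPolicy) -> List[str]:
    """Return human-readable findings for one policy (empty list means clean)."""
    findings: List[str] = []
    members = PROPOSAL_SET_MEMBERS.get(pol.proposal_set or "", [])

    # Weak cipher or hash named in a default set's members.
    for member in members:
        weak = sorted(WEAK_TOKENS & set(member.split("-")))
        if weak:
            findings.append(
                f"proposal-set {pol.proposal_set} member {member} uses {', '.join(weak)}")

    # Effective PFS: the explicit statement, or the group encoded in a g2- member.
    groups = set()
    if pol.pfs_group:
        groups.add(pol.pfs_group)
    groups.update("group2" for m in members if m.startswith("g2-"))

    if not groups:
        findings.append("no PFS: child SA keys derive from IKE SA keying material "
                        "without a fresh Diffie-Hellman exchange")
    for group in sorted(groups):
        if group in NOT_RECOMMENDED_GROUPS:
            findings.append(f"PFS {group} is marked NOT RECOMMENDED")
    return findings


def audit(config_text: str) -> Dict[str, List[str]]:
    """Map each policy name to its findings."""
    return {name: audit_policy(pol) for name, pol in parse_policies(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else 'REVIEW'}")
        for finding in findings:
            print(f"  - {finding}")
```

On the sample, vpn-modern and vpn-suiteb come back clean, vpn-oldpfs is flagged only for group2, vpn-std is flagged for the 3DES member and the group2 PFS baked into the standard set, and vpn-legacy is flagged for every DES/3DES/MD5 member of the compatible set plus the absence of PFS. The set is keyed on name tokens rather than on a hard-coded list of bad sets so that the same check covers any future set whose member names follow the same convention.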

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation